aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteve Freegard <steve@stevefreegard.com>2017-03-23 21:27:02 +0000
committerSteve Freegard <steve@stevefreegard.com>2017-03-23 21:27:02 +0000
commitc53dd6be7203038a0be6e73f1eb4beeeecd65b91 (patch)
tree88c01448d83d955c0b30a83fc5b3b269d1d6c15b
parent7021ddcc38a0f05b2bf69849f645a848e06be1e2 (diff)
downloadrspamd-c53dd6be7203038a0be6e73f1eb4beeeecd65b91.tar.gz
rspamd-c53dd6be7203038a0be6e73f1eb4beeeecd65b91.zip
New rules
Diffstat
-rw-r--r--conf/composites.conf10
-rw-r--r--rules/misc.lua23
-rw-r--r--rules/regexp/headers.lua6
-rw-r--r--rules/regexp/misc.lua7
4 files changed, 43 insertions, 3 deletions
diff --git a/conf/composites.conf b/conf/composites.conf
index 9565ae489..947fa7fbb 100644
--- a/conf/composites.conf
+++ b/conf/composites.conf
@@ -61,6 +61,16 @@ composites {
expression = "HAS_X_POS & HAS_WP_URI & PHISHING";
policy = "leave";
}
+ COMPROMISED_ACCT_BULK {
+ expression = "HAS_XOIP & DCC_BULK";
+ description = "Likely to be from a compromised webmail account";
+ score = 3.0;
+ }
+ UNDISC_RCPTS_BULK {
+ expression = "DCC_BULK & (MISSING_TO | R_UNDISC_RCPT)";
+ description = "Missing or undisclosed recipients with a bulk signature";
+ score = 3.0;
+ }
.include(try=true; priority=1; duplicate=merge) "$LOCAL_CONFDIR/local.d/composites.conf"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/composites.conf"
diff --git a/rules/misc.lua b/rules/misc.lua
index e289215c9..db754a98e 100644
--- a/rules/misc.lua
+++ b/rules/misc.lua
@@ -406,7 +406,8 @@ rspamd_config:register_symbol{
score = 0,
}
-rspamd_config.SPOOF_DISPLAY_NAME = {
+local check_from_display_name = rspamd_config:register_symbol{
+ name = 'CHECK_FROM_SPOOF',
callback = function (task)
local from = task:get_from(2)
if not (from and from[1] and from[1].name) then return false end
@@ -420,16 +421,32 @@ rspamd_config.SPOOF_DISPLAY_NAME = {
local to = task:get_recipients(2)
-- Be careful with undisclosed-recipients:; as domain will be an empty string
if not (to and to[1] and to[1]['domain'] and to[1]['domain'] ~= '') then
+ task:insert_result('FROM_NEQ_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
return false
end
if util.strequal_caseless(to[1]['domain'], parsed[1]['domain']) then
- return true,from[1]['domain'],parsed[1]['domain']
+ task:insert_result('SPOOF_DISPLAY_NAME', 1.0, from[1]['domain'], parsed[1]['domain'])
+ return false
end
end
return false
end,
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_from_display_name,
+ name = 'SPOOF_DISPLAY_NAME',
description = 'Display name is being used to spoof and trick the recipient',
- score = 8.0
+ score = 8,
+}
+
+rspamd_config:register_symbol{
+ type = 'virtual',
+ parent = check_from_display_name,
+ name = 'FROM_NEQ_DISPLAY_NAME',
+ description = 'Display name contains an email address different to the From address',
+ score = 4,
}
rspamd_config.SPOOF_REPLYTO = {
diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index f58feeaf8..af63d7131 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -899,3 +899,9 @@ reconf['X_PHPOS_FAKE'] = {
group = 'headers'
}
+reconf['HAS_XOIP'] = {
+ re = "header_exists('X-Originating-IP')",
+ description = "Has X-Originating-IP header",
+ score = 0.0,
+ group = 'headers'
+}
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 2fc194965..5f5b437b6 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -40,3 +40,10 @@ reconf['DATA_URI_OBFU'] = {
score = 2.0
}
+reconf['INTRODUCTION'] = {
+ re = '/\\b(?:my name is\\b|(?:i am|this is)\\s+(?:mr|mrs|ms|miss|master|sir|prof(?:essor)?|d(?:octo)?r|rev(?:erend)?)(\.|\\b))/{sa_body}i',
+ description = "Sender introduces themselves",
+ score = 2.0,
+ group = 'scams'
+}
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-26 16:03:12 +0000